Skilled Cybersecurity People are Crucial, but Don’t Forget Strong Processes

White House Cybersecurity czar Michael Daniel recognizes the challenge that the government faces in competing with the private sector for top cyber- talent. In a recent interview he, like other federal cyber- leaders, touts the uniqueness of the federal cybersecurity mission and operational environment as prime factors in attracting cyber-technology people. “The things you get to do while working, for example, in law enforcement or in places in the intelligence community or DHS, those aren't things you get to do in the private sector.” Daniel acknowledges that the hiring process is overly cumbersome and that OPM and OMB are working to bring improvements, but change comes slowly. Meanwhile, as the lead agency for.gov cybersecurity, DHS continues to struggle to build and maintain its cyber- workforce.

Effective security continues to be inextricably tied to the quality of your technical workforce and the Defense Department is a prime example. At a recent NDIA Cyber Security Symposium, Maj. Gen. Earl Matthews, Director of Cyberspace Operations at the Air Force’s Office of Information Dominance and CIO Agency stressed the importance that skilled people and effective processes play in the cyber- equation. “Products will not save us because it’s about skill sets and process.”  Matthews went on to describe how the Air Force leverages a continuum of cybersecurity training that spans a service-member’s entire career, including targeted training at 6 years and 10 years of service. Taking such a long-range view makes workforce retention a critical factor.

It is true that talented and trained people are crucial, but a large part of operational cybersecurity success across the fed has to do with the government’s processes, as Matthews alluded, and that is the puzzle piece that connects the people to effectiveness. For the civilian agencies, that takes us to several areas where DHS has started to make some forward progress, like the CDM and ECS programs and the recent policy change to allow more rapid scanning of agency networks, etc. Even the highest-trained and best-equipped workforce will fall short in the mission without effective processes in place that addresses the entire cyber- kill chain – from detection and response to mitigation and remediation.